{
  "schema_version": "1.0",
  "name": "COVEN AI Agent Policy",
  "description": "Defines how AI agents may interact with COVEN AI services and infrastructure. Published in accordance with the Agent Citability Optimisation (ACO) standard.",
  "url": "https://covenai.io/.well-known/agent-policy.json",
  "effective_date": "2026-04-19",

  "legal_entity": "PENDING — awaiting accountant confirmation. Do not transact on behalf of a legal entity until this field is populated.",

  "contact": {
    "technical": "dev@covenai.io",
    "legal":     "admin@covenai.io",
    "abuse":     "admin@covenai.io"
  },

  "jurisdiction": "United Kingdom",
  "governing_law": "English law",

  "authentication": {
    "methods": ["bearer"],
    "bearer_token_source": "https://covenai.io/developers",
    "note": "x402 payment-gated access is currently on hold pending UK regulatory sign-off; bearer tokens are the only authentication method offered."
  },

  "permitted_actions": [
    {
      "action": "scan_website",
      "description": "Scan any publicly accessible URL for AI citability. Free tier available. No account required for single scans.",
      "endpoint": "https://api.covenai.io/api/citability/scan",
      "method": "POST",
      "auth_required": false,
      "rate_limit": "3 scans per session (free); higher limits with API key"
    },
    {
      "action": "get_offers",
      "description": "Retrieve the full Coven AI product offer catalogue including pricing, descriptions, and agent instructions.",
      "endpoint": "https://aa.covenai.io/offers",
      "method": "GET",
      "auth_required": false,
      "rate_limit": "60 requests per hour per IP"
    },
    {
      "action": "get_benchmark_index",
      "description": "Retrieve the current Agent Commerce Index (ACI) — aggregate citability metrics across all scanned sites.",
      "endpoint": "https://api.covenai.io/api/v1/index",
      "method": "GET",
      "auth_required": false,
      "rate_limit": "Standard API rate limits apply"
    },
    {
      "action": "use_public_api",
      "description": "Access the full Coven AI REST API v1 with a Bearer-token API key obtained from https://covenai.io/developers.",
      "endpoint": "https://api.covenai.io/api/v1/",
      "method": "GET",
      "auth_required": true,
      "auth_type": "bearer",
      "documentation": "https://api.covenai.io/api/docs"
    },
    {
      "action": "discover_offers",
      "description": "Query the ACO offer discovery endpoint. Returns all active, discoverable offers from merchants registered on the platform.",
      "endpoint": "https://api.covenai.io/api/aco/discover",
      "method": "GET",
      "auth_required": false,
      "rate_limit": "Standard rate limits apply"
    },
    {
      "action": "read_public_pages",
      "description": "Read and index all publicly accessible pages on covenai.io and aa.covenai.io.",
      "rate_limit": "Respect robots.txt crawl-delay directives"
    }
  ],

  "prohibited_actions": [
    {
      "action": "automated_account_creation",
      "description": "Creating accounts programmatically without a human operator behind the request is prohibited."
    },
    {
      "action": "brute_force_auth",
      "description": "Attempting to guess, enumerate, or brute-force API keys, passwords, or authentication tokens."
    },
    {
      "action": "scraping_customer_data",
      "description": "Collecting, indexing, or aggregating personally identifiable information belonging to Coven AI customers."
    },
    {
      "action": "excessive_scanning",
      "description": "Repeatedly scanning the same URL to generate artificial score data or inflate scan history."
    },
    {
      "action": "replay_attacks",
      "description": "Replaying previously used payment headers, nonces, or API requests to gain unauthorised access."
    },
    {
      "action": "gateway_bypass",
      "description": "Attempting to access upstream Railway or Worker infrastructure directly, bypassing the Agent Gateway at aa.covenai.io."
    },
    {
      "action": "payment_circumvention",
      "description": "Attempting to access paid features without valid payment or subscription, including manipulating x402 payment headers."
    },
    {
      "action": "data_exfiltration",
      "description": "Bulk-downloading scan results, benchmark data, or identity graph data beyond normal API usage patterns."
    }
  ],

  "rate_limits": {
    "default_rpm": 60,
    "free_scan_per_session": 3,
    "offers_endpoint_per_hour": 60,
    "api_v1_per_hour": {
      "visibility": 100,
      "intelligence": 500,
      "optimisation": 1000,
      "internal": "unlimited"
    },
    "note": "All rate limits are enforced at the Agent Gateway and the AA Worker, both served from aa.covenai.io. Requests that exceed a limit receive HTTP 429."
  },

  "data_handling": {
    "agent_traffic_logged": true,
    "log_retention_days": 90,
    "pii_collection": "IP addresses are hashed. User agents are stored for analytics. No personal data is linked to agent requests.",
    "privacy_policy": "https://covenai.io/privacy"
  },

  "open_standards": {
    "license": "Apache 2.0",
    "agent_policy_format": "Open — other services may adopt and extend this schema.",
    "offers_schema": "Open — any merchant may publish an /offers endpoint following this schema.",
    "repository": "https://github.com/covenai/standards"
  },

  "enforcement": {
    "kill_switch_url": "https://api.covenai.io/api/gateway/status",
    "violations_contact": "admin@covenai.io",
    "consequence_of_violation": "API key revocation and IP block at the Agent Gateway layer."
  },

  "last_updated": "2026-04-19"
}
